Skip to main content

MPT attack patterns

Veracode Manual Penetration Testing uses the following CAPEC (Common Attack Pattern Enumeration and Classifications) attack patterns to group similar discovered findings (flaws).

Attack patterns describe the general methods employed to access and exploit the specific weaknesses that exist in the tested asset.

CAPEC is an effort led by Cigital, Inc. and is sponsored by the United States Department of Homeland Security's National Cyber Security Division.

Abuse of functionality

Exploitation of business logic errors or misappropriation of programmatic resources. Application functions are developed to specifications with particular intentions, and these types of attacks serve to undermine those intentions.

Examples:

  • Exploiting password recovery mechanisms
  • Accessing unpublished or test APIs
  • Cache poisoning

Spoofing

Impersonation of entities or trusted resources. A successful attack will present itself to a verifying entity with an acceptable level of authenticity.

Examples:

  • Man in the middle attacks
  • Checksum spoofing
  • Phishing attacks

Probabilistic techniques

Using predictive capabilities or exhaustive search techniques in order to derive or manipulate sensitive information. Attacks capitalize on the availability of computing resources or the lack of entropy within targeted components.

Examples:

  • Password brute forcing
  • Cryptanalysis
  • Manipulation of authentication tokens

Exploitation of authentication

Circumventing authentication requirements to access protected resources. Design or implementation flaws may allow authentication checks to be ignored, delegated, or bypassed.

Examples:

  • Cross-site request forgery
  • Reuse of session identifiers
  • Flawed authentication protocol

Resource depletion

Affecting the availability of application components or resources through symmetric or asymmetric consumption. Unrestricted access to computationally expensive functions or implementation flaws that affect the stability of the application can be targeted by an attacker in order to cause denial of service conditions.

Examples:

  • Flooding attacks
  • Unlimited file upload size
  • Memory leaks

Exploitation of privilege/trust

Undermining the application's trust model in order to gain access to protected resources or gain additional levels of access as defined by the application. Application that implicitly extend trust to resources or entities outside of their direct control are susceptible to attack.

Examples:

  • Insufficient access control lists
  • Circumvention of client side protections
  • Manipulation of role identification information

Injection

Inserting unexpected inputs to manipulate control flow or alter normal business processing. Applications must contain sufficient data validation checks in order to sanitize tainted data and prevent malicious, external control over internal processing.

Examples:

  • SQL Injection
  • Cross-site scripting
  • XML Injection

Data structure attacks

Supplying unexpected or excessive data that results in more data being written to a buffer than it is capable of holding. Successful attacks of this class can result in arbitrary command execution or denial of service conditions.

Examples:

  • Buffer overflow
  • Integer overflow
  • Format string overflow

Data leakage attacks

Recovering information exposed by the application that may itself be confidential or may be useful to an attacker in discovering or exploiting other weaknesses. A successful attack may be conducted passive observation or active interception methods. This attack pattern often manifests itself in the form of applications that expose sensitive information within error messages.

Examples:

  • Sniffing clear-text communication protocols
  • Stack traces returned to end users
  • Sensitive information in HTML comments

Resource manipulation

Manipulating application dependencies or accessed resources in order to undermine security controls and gain unauthorized access to protected resources. Applications may use tainted data when constructing paths to local resources or when constructing processing environments.

Examples:

  • Carriage Return Line Feed log file injection
  • File retrieval via path manipulation
  • User specification of configuration files

Time and state attacks

Undermining state condition assumptions made by the application or capitalizing on time delays between security checks and performed operations. An application that does not enforce a required processing sequence or does not handle concurrency adequately will be susceptible to these attack patterns.

Examples:

  • Bypassing intermediate form processing steps
  • Time-of-check and time-of-use race conditions
  • Deadlock triggering to cause a denial of service
Last updated on